What are /r/OPNsenseFirewall's favorite Products & Services?

From 3.5 billion Reddit comments

Answering my own question....

​

Once realised I should be searching for HardenedBSD rather than FreeBSD, I found the answer immediately:

OPNSense 19.1 is based on HardenedBSD 11.2

(https://opnsense.org/opnsense-19-1-released/)

AdguardHome OPNsense plugin that has a few DNS rewrites for lookups of my local servers.

It passes on queries to Quad9. I used it have a separate PowerDNS server on my local net with block lists but I'm trying to simplify things a bit.

I have looked into DoT/DoH but I would entrust Cloudflare (or another DoT provider) with my entire DNS history. I rather let Unbound in resolver mode spread my DNS data over many servers through the Mullvad connection and not put everything in one basket.

Personally, both solutions are fine for my use case. Neither solution is better or provides more privacy IMO, it's just a matter of preference and who I rather entrust with my DNS data.

NTP is something I have to dig further into. Haven't heard of chrony, I'm gonna look into it. The author of the original pfSense guide also built a local GPS stratum-1 timeserver that looks really interesting.

It took me a good while to figure out, too. Especially how to get around Mullvad's DNS hijacking limitation of WireGuard, but haven't looked into it in-depth.

Real nice layout, great guide.

Have you checked out DNS over TLS? Do a test here: https://www.cloudflare.com/ssl/encrypted-sni/

Set primary/secondary DNS to 127.0.0.1. Make Unbound use DoT; . Redirect as before.

Do the same with NTP? Disable NTPD and enable Chrony with NTS pointing to time.cloudflare.com / other NTS enabled servers.

Forget everything everyone else has told you. Get ventoy. You put this on a USB stick and just dump ISOs into a folder. It makes all those bootable through a very easy to use list. It's revolutionary

https://www.ventoy.net/en/index.html

My guess is you have a policy to use Mullvad as the gateway for everything. You’ll want to create a similar policy to say “This Firewall” through the WAN gateway and make sure it is above the Mullvad policy.

Edit: or potentially in your existing policy create an invert match source for “this firewall” rather than any

Well, have you considered that being a bit of an overkill? DNS requests are encrypted with NordVPN for example anyways. Also, it prevents leaks. While DNScrypt does only solve the request side. Having two layers of that is not needed.

Also, I do have doubts OPNsense does allow to change default gateway for dnscrypt. Consider just using a VPN imho.

Here is the quick and dirty

Generate router config from the AirVPN website.

Open the Config in an editor

In OPNSense: System > Trust > Authorities > Add/Import Paste in the CA

System > Certificates > Add/Import Paste in Cert Paste in Key

OpenVPN > Client > New

Descirption Remote Server & Port Check 'Infinitely resolve remote server' Uncheck "Automatically generate a shared TLS authentication key." Paste in TLS key from config

Select Peer Cert Authority Select Client Certificate Set Encryption algorithem to AES-256-CBC

Compression - Disabled

This works, but if you want to grab all the extras:

nobind persist-key persist-tun auth-nocache route-delay 5 explicit-exit-notify 5 key-direction 1

Really glad to hear that. That's exactly what I shooted for when creating the theme. Retro-looking with an editor/terminal feel to it. I was a heavy user of Solarized before discovering Gruvbox which was actually designed for Vim, a terminal editor.

There are several DNS services that block domains that serve malware or act as malware command and control (C&C). I use https://www.quad9.net/ , but https://www.opendns.com/ is also good.

If you use one of these services, ONLY use that service. Don't mix services.

When you're on the firewall itself, that traffic won't be forced through your VPN. You have LAN interface rules that force traffic through your VPN. Traffic must pass in through (ingress) the LAN interface in order for that rule to apply. Traffic originating from the firewall does not ingress on any interface. It only exits (egress) an interface. That's why your pings are not working as expected.

It doesn't look like ProtonVPN will NAT your traffic for you, so you'll need an outbound NAT rule for that interface.

This tutorial is for pfSense. About half way through, it shows you how to set up the interface and outbound NAT rule. The setup under OPNsense is fairly similar.

I had problems getting the Motherboard/CPU so i had to search for something else.

I found this on sale and got it as a barebone. Works great do far :)

Right now I am running all my local devices through IVPN.... it was the easiest to setup.

I haven't decided if I will bypass VPN for certain devices. Mostly the issue is streaming via NetFlix. All my other streaming services have no issues - just Netflix and I'm basically at the point of just telling Netflix to get F*@ked... besides their content recently isn't really worth it.

I was relieved that my wife's business VPN also works within this... I had a previous VPN device that blocked her business VPN and she couldn't access the company's internal shared drives.

Even better - I am getting 500mg down and 250mg up - on my 1gb fiber service using VPN w/wireguard. that is on a network being used - I'll try it when there is no activity and report back!

Thanks for the info on how you made it work.

Are you now pushing all of the data from your network through IVPN, or are you able to only route some connections through there?

I'm just wondering how people are setting up these connections. I run into too many blocks while running a VPN to run it on my whole network all the time, as much as I would prefer to...

New to OPNSense and I bought a Zotac ZBOX, the barebones version. I had an SSD and spare SODIMMs laying around, so I put them in to make a complete system.

Quad core N3160 Celeron, 8GB (2x4GB) 1600Mhz RAM, and a 128GB SSD

I have followed this guide, but have added the following rules and interfaces, as well as a VPN screenshot.

I am able to connect using LAN, getting an address from DHCP.

BuiltIn and Wireless are receiving IP's on their proper range. I am unable to reach the management interface, even though Listen on all is selected.

I am also unable to reach anything outside of the network from BuiltIn or Wireless, although LAN works fine, and I have mirrored the rules from LAN to Wireless and BuiltIn

Ah. 1055, not 1075. That would explain it. This is the Q1075GE, though every time I try to change the ram/storage configuration it switches to 1055 so I'm not sure how much I'd trust that.

That should be fine, though I find it odd that they still use mSATA as late as 10th gen CPUs. I'd have expected M.2 SATA, if not NVME. Also, 32GB is tiny for the price, especially considering $22 gets you 256GB, and that's legit despite the no-name brand as I've been using it for ~2 years in my current Qotom. Aside from that, unless you're doing some massive IDS or running something on your router that you shouldn't, I can't imagine needing that much CPU.

Buying that won't be bad, necessarily, especially if you need 8 ports instead of just 4. But it's a weird mishmash of old and new.

Your best course of action here is to use a VPN that allows for port forwarding, such as Mullvad. You’d have configure your Xbox to send all traffic out the VPN gateway and setup the appropriate port forward.

Or you need an alternative to TMobile. I just read tonight that Verizon’s home 5G service does not do carrier grade NAT. So if you switch to Verizon, this problem would also go away.

I'm not familiar with the inner workings of wireguard, but I have a similar setup using OpenVPN. I've configured 3 OpenVPN clients (NordVPN) for different purposes;

1. Torrent and usenet
2. Guest traffic
3. Tunnel to the US to circumvent Geo-location barriers ffrom certain news outlets.

All these tunnels have virtual interface and gateways, and you can use the gateways to guide traffic through them with your firewall policies

1. The Torrent and Usenet traffic originates from 1 IP address, so I force all traffic from that IP through the first tunnel.
2. All traffic from this network/VLAN is 'routed' via a firewall policy through the second tunnel
3. Only destination websites/hosts that are present in a certain Alias are 'routed' through the third VPN.

One thing to consider is to make sure that the Torrent/Usenet traffic isn't routed over your default gateway when the associated VPN (gateway) is down to prevent leakage of that traffic.

This is a setting in the (advanced) Firewall settings of opnsense, and test it before moving to production :-)

In my case, the policy based routing gives me greater control of the traffic, than by using a routing based solution.

I don’t know about OpenVPN, but the WG UI has an option to disable automatic routes being created for my second tunnel, allowing policy-based routing to used instead to only send hosts I select down the Mullvad tunnel

I bought it barebones, no RAM and no storage for ~$350. However, I had a couple different memory modules that it wouldn't boot with, but I also had some memory from Topton (a different purchase) that did work, so be careful if you go this route to make sure your memory will work ok. Topton recommended Samsung memory only. I would guess that something like this RAM would work (though I haven't tried this specific memory).

I also use Samsung SSD 980 NVMe drives because they have no on-board cache and thus run much cooler than most NVMe drives and are still way faster than you need for a FW. So, all in it was less than $500.

I think what is happening here is the Chromecast is using the default DNS from the NordVPN tunnel and not the one I set on the DHCP server for this interface. But this is only happening on the Streaming devices, everything else will use the DNS I set.

Not sure this is what is happening but is a guess and the best I can tell with my limited knowledge.

Two things I have not tried yet is factory reset the Chromecast and setting the DNS under general, right now it is blank since I am using Adguard and didn't see a need to set a backup.

I have a similar setup with this Firewall (LAN) rule:

Interface: LAN

Direction: In

Source: UseNordVPN_US_Always (which is an alias of hosts I want routed through NordVPN)

Destination: any

Gateway: NORDVPN_US_VPN4

​

Is this (similar to) what your rule looks like?

Hi,

OVPN uses only a single core and heavily relied on AES support on the processor.

For some reason I had no great speed on a virtualized setup.

I use one of those 4 ethernet ports, passive cooled units with an i3 processor, 8GB RAM and 120GB nvme.

OPNsense runs on it like a charm. I set up the WireGuard type connection to AirVPN and got great speeds, like 400Mbs. I also on a 900/900 fiber line.

This machine use about 12W of electricity.

Same, though I don't run any IDS on it. The biggest issue I have with it is that the ports are mapped incorrectly. But you can figure out which is which from BIOS, then label them properly and you'll never have an issue. i5-5250U 4-core, 8GB, and I swapped in a 256GB mSATA when I switched from PFSense to OPNSense (I figured that'd make it easier to switch back if needed, by swapping the mSATA instead of reinstalling; I don't actually need that much space).

I have a similar setup. First, I set up NordVPN on OPNsense, but use aliases to only route the traffic on specific computers through the VPN gateway.

So all I have to do is enable/disable the alias for when I want my desktop (or other devices) to bypass the VPN.

It works nicely. In fact, I have multiple VPNs setup for different geographic regions and can switch by toggling the aliases. I use the same method for AdGuard as well.

I haven't had the time to use the API to control the aliases - I currently do it manually - but that's one of those future projects. The instructions I found online seemed easy enough.

Hmm, not sure I understand you correctly. As it currently stands, all devices on my network will use the NordVPN connection on OPNsense for outgoing traffic, with the exception of my PC because I made an exception for it (it will use WAN instead).

Deleting/disabling the NordVPN app on my PC would mean no VPN for my main PC, unless I disable the exception rule ofcourse. I'm not sure how adding routes on my PC would cause it to use the NordVPN connection on the router?

The idea of the LAN-only VPN server was that I can connect my PC to it (and set it to force all traffic through it), so I can configure OPNsense to route all that traffic through the NordVPN connection. This would enable easy toggling of WAN/VPN on my PC, with the added benefits of all additional services running on OPNsense.

Thanks for the response, after many days trying to get to something I finally ended not using that kind of Gateways. Monitoring is a nightmare with a lot of false errors (try just entering the config and saving, it shows 2 or 3 error on the log).
Its worse but I ended just using VM with the Mullvad app installed on them.

I think its something related to the dpinger service, but dont have the knowledge to fix it.

I picked up the NIC linked below (not affiliate or anything) and it's been running without issue since.

https://www.amazon.com/gp/product/B08FB83C1H/

If you check out the reviews, other than a handful of people having trouble hunting down Windows drivers the rest of the reviews are very positive (including at least one mention of pfsense in addition to my own experience).

Do you mean this one? https://www.amazon.co.uk/KALEA-INFORMATIQUE-Express-Gigabit-Ethernet-sieciowa/dp/B00ORY8VLURealtek rtl811"

I set one up myself about 4-5 weeks ago and this has happened twice. It's headless and in both cases I needed to get back online ASAP and didn't have time to attach keyboard and monitor to try figure out what the problem is. Hopefully some time I will. I'm running on one of these with 8GB RAM: https://www.amazon.com/gp/product/B08DFL2BM2/

BTW: There's nothing in /var/lo/* and the only information from 'dmesg' is:
tun0: changing name to 'wg0'

wg0: link state changed to DOWN

tun0: link state changed to UP

tun0: changing name to 'wg0'

wg0: link state changed to DOWN

over and over...

I've pinged the endpoint IPs just to make sure the NordVPN endpoint in the netherlands was up and running.

No problem, glad it helped. On the endpoint showing IPv4 only - if I understand your point correctly, that's because Mullvad only has IPv4 addresses for the endpoints. Look up DNS and you will find no AAAA records. So the tunnel is established over IPv4, but both IPv4 and IPv6 traffic is passed through it.

Wow, I really appreciate the update on the docs. Literally a few weeks before you posted this, I was looking all over the internet and couldn't find anything on how to do the last step with the Gateway for IPv6. Even asked places, but nobody replied. Been trying to do this for the past 6 months. Got IPv4 to work. Anyway, did what the updated docs said, and BAM, finally got a working Mullvad IPv6 Wireguard working correctly.

At first I gave up and was like, "eh, no need for IPv6", even though my main network was using it. So for the VLAN my PC was on I just ignored IPv6. However, I was running into issues with updates and the like, such as "apt update", since I'm a Linux user. So some of the repos were using IPv6 and IPv4. And since IPv6 wasn't working, credentials weren't correctly going through. So failures were happening. Therefore I just switched to Wireguard App on my PC specifically, instead of using a VLAN on my network.

Anyway, now just in the testing phase for the next few weeks to see if I run into anything that possibly couldn't work correctly.

What I did notice, not sure if possibly it's a OPNsense error, from the newest OS release: 22.1.2 or what. But when looking at the “list configuration” the stats show info, but on Endpoint, there is no IPv6 address, like you would see if you did a local instance of Wireguard vs an endpoint to a VPN, like Mullvad. Like you see in the “WireGuard Road Warrior Setup” when looking at the bottom at the example configurations.

Any who, appreciate the updated info, now I can rest haha.

Wow, I really appreciate the update on the docs. Literally a few
weeks before you posted this, I was looking all over the internet and
couldn't find anything on how to do the last step with the Gateway
for IPv6. Even asked places, but nobody replied. Been trying to do
this for the past 6 months. Got IPv4 to work. Anyway, did what the
updated docs said, and BAM, finally got a working Mullvad IPv6
Wireguard working correctly.
At first I gave up and was like, "eh, no need for IPv6", even though my main
network was using it. So for the VLAN my PC was on I just ignored
IPv6. However, I was running into issues with updates and the like,
such as "apt update", since I'm a Linux user. So some of
the repos were using IPv6 and IPv4. And since IPv6 wasn't working,
credentials weren't correctly going through. So failures were
happening. Therefore I just switched to Wireguard App on my PC
specifically, instead of using a VLAN on my network.
Anyway, now just in the testing phase for the next few weeks to see if I run into
anything that possibly couldn't work correctly.
What I did notice, not sure if possibly it's a OPNsense error, from the newest OS
release: 22.1.2 or what. But when looking at the “list
configuration” the stats show info, but on Endpoint, there is no
IPv6 address, like you would see if you did a local instance of
Wireguard vs an endpoint to a VPN, like Mullvad. Like you see in the
“WireGuard Road Warrior Setup” when looking at the bottom at the
example configurations.
Any who, appreciate the updated info, now I can rest haha.

1. Create a gateway for your "outside" VPN connection first. (i.e. Mullvad or whatever provider you are using.

2. Create a firewall alias to designate LAN traffic. (I call mine RFC1918_Networks.) Add all three private IP blocks to it.

3. Create a firewall rule in the incoming "home server" WireGuard VPN interface (not your VPN providers interface) to route all external traffic to the "outside" VPN gateway.

4. If you want the phone to be able to reach anything on the LAN, you are going to have to create another rule on the same interface to allow traffic to the LAN.

I did something similar but have not encountered any DNS issues. I'm not an expert - just want to help.

I set up NordVPN on OPNsense, but I do not want all clients on my network to use the VPN. (I did have to modify the NordVPN installation that is posted on the web.) I was able to set it up so only clients listed in the "Use_NordVPN_US" alias would send traffic through the VPN.

I think the first step would be to get everything working by default (DNS working, VPN installed, but no traffic through it, etc.)

Next, create an alias with the clients you want to use with the VPN.

Create a Firewall LAN rule with the following (above the default LAN rule):

Source: "Use_NordVPN_US" alias

Destination/Invert (checked)

Destination: LAN address

Gateway: NORDVPN_US_VPNV4-10.8.1.1 (or whatever gateway you have setup for the VPN)

Again, this is how I did it and it worked. Unfortunately, I reinstalled OPNsense and will have to recreate it again, but I think those are the two main items.

If you don't have a gateway already setup, I use these settings (System->Gateway->Single):

Name: (whatever - I used NORDVPN_US_VPNV4)

Interface: (whatever - I used NordVPN_US)

I just wanted to say thank you for the kindest version of, you should read the docs I've ever seen. Truly, much nicer than I've ever been. 😂

I understand the WAN fail over now, thank you. The gui part sort of but not in reference to IP Addresses, as I explain below.

VPN Client - I have setup the OPNSense box to be a VPN client for ExpressVPN. How do I configure which devices do through that VPN tunnel and which just go out the normal WAN? (some devices are blocked if they are on a VPN like Prime Video.)

And this could also still be the fact that I clearly am confused on how parts of routing and things work. Maybe it's that I don't understand the bridge mode recommended by others and/or turning off the NAT on the router...

If my router WAN IP address is 20.0.0.2 and the router LAN address is 192.168.0.1, then won't the OPNSense box on the other side of that WAN port be in the 20.0.0.0 network and unaccessible from everything on the 192 one?

That's the Firewall Rule and it's partly correct. The "Source" in that rule needs to be changed from "NordVPN_Manasas_8771_Traffic" to "LAN net".
You also need to correct the "Outbound NAT" rules that have "NordVPN_Manasas_8771_Traffic" defined as the source and change the "Source" to "LAN net"

For the NAT rules that currently have the Source as NordVPN_Manasas_8771_Traffic need to have the Source changed to the LAN IP block.

For LAN clients to use the NordVPN connect you need to have a rule on your LAN interface that has the NordVPN defined as the gateway.

The outbound NAT rule looks to be incorrect. The Source needs to be your LAN network.

For the LAN clients to be directed out the VPN tunnel the "Default allow LAN to any rule" firewall rule needs to be changed. The gateway needs to be the one created when setting up NordVPN. You could also make another rule with an Alias of IPs if you only want certain LAN clients to be forced out the VPN.

Wiitek SFP+ to RJ45 Copper Modules, 10GBase-T Transceiver Compatible for Cisco SFP-10G-T-S, Ubiquiti, D-Link, Supermicro, Netgear, Mikrotik, Unifi (Cat 6a/7, 30-Meter) https://www.amazon.com/dp/B07P39G4XJ/ref=cm_sw_r_cp_api_glt_i_WN31VRY163A7QBA55BWM?_encoding=UTF8&psc=1

Work like charm

Just throwing this out there. On OPNsense someone noticed you can use a cheaper Intel card for $40, and it works without adding drivers. I haven't used pfSense for a few years but assume it should work just the same.

QNAP QXG-2G1T-I225 Single Port 2.5GbE 4-Speed Network Card https://www.amazon.com/dp/B08FB83C1H/

I mean it depends on what you want to run.

I just spent $500 building mine using 2nd hand server grade stuff still trying for low power 35watt 6x10gb network ports.

Proxmox bare metal with opnsense, pihole, and docker for mine. Already have an epyc server in the rack Once I have my backup server built next week going to set up some HA stuff between the 3 for things that I don't want to go down.

For my parents I opted for even lower power J4125 with dual lan is still hard to beat. https://www.amazon.com/dp/B08DFL2BM2

Would have loved to get the N5095 or N5105 but nothing with dual lan.

Proxmox bare metal with opnsense, pihole, has os, and docker for parents.

Newbie, but having luck with this:
https://www.amazon.com/dp/B09J4H9ZXY?ref=ppx_yo2_dt_b_product_details&th=1

Even the onboard wifi works fine with PFSense, which I was warned was unlikely.

Do you think this would work fine for a 2.5gbe connection? https://www.amazon.com/dp/B083HZHL6Y/ref=cm_sw_r_cp_api_glt_i_ZMV5V639V92F7HWV9F57

I know the nic is intel, i’m assuming the i225 chip. Would probably be my cheapest option since I don’t have a mobo yet and even getting the cheapest one ($80) + a separate nic would be more expensive. Do you know if the driver issues have been sorted out yet?

Yup, sticking a gigabit SFP in the WAN port of my BCM57810S card got upload speeds back to where they should be for the GF 1 gig plan (testing 940-950 Mbps up and down on GF's speed test, 940 Mbps down/900-920 Mbps up on on the Fast.com [Netflix] speed test, each multiple times)

However, the BCM57810S card seemingly didn't recognize the 1G module (OPNSense didn't recognize the WAN NIC was there in the GUI, even though it showed as up in the console), even after rebooting the OPNSense box and the Fiber Jack, until I reloaded the 2.5G modded Broadcom/Marvell drivers (I had gone back to stock drivers when it became clear the modded drivers didn't help with the 10G module on the WAN port) and restarted OPNSense again.

Log processing needs to be done by the CrowdSec agent - it can be configured with a db backend to scale better. So a bit like that - but also completely differently :-) The beauty of CrowdSec is that all components of the ecosystem communicates via http(s) rest api so it can run distributed as one wishes. You can read more about the architecture here and how to set up a multi-server setup here.

Just adding to what u/anditails posted below (which sounds like it would address or at least help with your needs). Link to the beta with notes:

https://pi-hole.net/2020/01/19/announcing-a-beta-test-of-pi-hole-5-0/

First off, thanks for your work! Would it be possible to somehow add the lists found in uBlock Origin's filter lists? Basically, not just ads, but its categories overall. It's incredibly efficient (I know some lists are already included in your plugin). An example where ads are still visible is on Youtube i.e. not in the videos themselves, but for instance with "sponsored" content tagged as an ad.

I tried those and they didn't work.

On Ipv4, I have 2 tunnels to 2 external endpoints, one with 100.0.64.1 and the other had 100.0.64.2 as monitor IP. However dpinger reports both tunnel have almost the same latency despite that 2 external endpoints are physically very far (one in Asia and one in Europe). I suspect that dpinger is sending ICMP packets through very same tunnel and I'm actually monitoring just one tunnel, not both. Is there any alternative you can come up with?

Perhaps we should ask Mullvad these questions.

I tried all kinds of settings, including block private ip addresses and bogons, no difference. The part that is bizarre is it used to work up until a week or so ago, and ExpressVPN works fine. I thought someone who is smarter than I would have an idea what would be different for the two services or something obscure. Thanks anyway for taking your time, it is appreciated. Is there a way to completely put a few IP addresses outside of the OPNsense NAT? I tried a few things in rules, but nothing seemed to work. I don't care if those boxes are firewalled or adblocked.

Thanks. That makes perfect sense. Many others seems to be switching for the same reasons. I did the switch too some years ago and I’ve never regretted it. Upgrades never fails and menu options are more or less the same. So I am happy. Also, there seems to be other interesting open source projects making themselves available on OPNsense, among others CrowdSec.

You need to contact OPNsense, see here: https://opnsense.org/support-overview/professional-services/

Imo, If you're planning on selling the software/hardware to customers, it might make sense to stick with their hardware since it'll be validated, and will come with support.

What version of OPNsense are you running? There was a bug that could set up the secondary DHCP server wrong prior to 21.7.4.

With bad config on the secondary, you'd see problems like this for only interfaces affected by the bug. Details are at the links below.

https://github.com/opnsense/core/issues/5002

https://opnsense.org/opnsense-21-7-4-released/

1. I've to config and enable Unbound DNS server in OPNsense (because I don't have any in my topology) and add host override for my private subdomains (I add wildcard for whole domain).
2. I've to add push DNS server for OpenVPN config on OPNsense which I set on one of my OPNsense DHCP pool gateway (this VLAN where I've my Nginx Reverse Proxy Server)
3. I've to add NAT forwarding with is describe in pfSense tutorial on page 24:

​

Port forward contents: – Interface: LAN – Protocol: TCP/UDP – Destination: Invert Match checked, LAN Address or This Firewall (self) – Destination Port Range: 53 (DNS) – Redirect Target IP: 127.0.0.1 – Redirect Target Port: 53 (DNS)

1. Ofcourse I've to add address pool of VPN IPv4 Tunnel Network in CIDR format (eg. 10.0.8.0/24) to my nginx server config.

1. I've to config and enable Unbound DNS server in OPNsense (because I don't have any in my topology) and add host override for my private subdomains (I add wildcard for whole domain).
2. I've to add push DNS server for OpenVPN config on OPNsense which I set on one of my OPNsense DHCP pool gateway (this VLAN where I've my Nginx Reverse Proxy Server)
3. I've to add NAT forwarding with is describe in pfSense tutorial on page 24:

​

Port forward contents: – Interface: LAN – Protocol: TCP/UDP – Destination: Invert Match checked, LAN Address or This Firewall (self) – Destination Port Range: 53 (DNS) – Redirect Target IP: 127.0.0.1 – Redirect Target Port: 53 (DNS)

1. Ofcourse I've to add address pool of VPN IPv4 Tunnel Network in CIDR format (eg. 10.0.8.0/24) to my nginx server config.

>Edit - Do you have a recommended USB wifi dongle?

The people at GL.Inet have a list of recommended dongles on their support site. We use Alfa AWUS036ACS 802.11ac AC600 Wi-Fi Wireless Network Adapter - Wide-Coverage External USB Adapter w/ 2.4GHz & 5GHz Dual-Band Antenna, Compact Design for Windows, MacOS & Kali Linux https://www.amazon.com/dp/B0752CTSGD/ref=cm_sw_r_apan_glt_fabc_YDV5HF6HJXS59RHJ7SFK?_encoding=UTF8&psc=1

>So it is capable of acting as a wifi client via a usb wifi dongle for the “WAN” connection while simultaneously using it’s built-in wifi to serve other clients?

Exactly. And in the middle it does your VPN, DNS and Killswitch.

>Also, how do you configure the usb wifi dongle when you are on the go?

Hotels logins rely on the MAC address of the device to decide who has paid / accepted TOS and who should be sent to the captive portal.

You have a few choices to "warm up" the dongle before using it on a travel router.

1) stick it in the laptop, log into a guest account, bring up the captive portal. Log in. Remove dongle. Put in travel router. Boot travel router. It will in most cases be live now and not need captive portal again.

2) Spoof MAC address of dongle on another device. Log in. Shut down, boot router with dongle.

3) boot router with dongle. Stuff won't work because crypto like DNS over TLS and VPN rely on an accurate clock which in most cases it n/a unless you pass the captive portal first and can resolve DNS / reach NTP servers. Disable VPN Killswitch, disable DNS features on router. Captive portal now pops up on clients behind the router. Use a device / account that isn't sensitive.

Log in. Re-enable security features. Connect actual clients.

Kudos to hotels who leave you logged in for a month. Boo to hotels who wanna pop the captive portal every damn day.

We used to use Netgate SG-1100

Now we use

GL.iNet GL-MT1300 (Beryl) VPN Secure Travel Gigabit Wireless Router, AC1300 400Mbps (2.4GHz) + 867Mbps (5GHz) Wi-Fi, Pocket-Sized Hotspot, IPv6, Tor, MicroSD Slot, USB3.0 for Wi-Fi Repeater https://www.amazon.com/dp/B08MKZXGBY/ref=cm_sw_r_apan_glt_fabc_TZ3SA5JYSXZ68WHABFVA?_encoding=UTF8&psc=1

It has WireGuard and Adguard built in. You use 9t together with a USB Wifi Dongle. The dongle will "catch" the hotel wifi and provide WAN. The built in wifi will provide you with your secure SSID, Adguard will filter your DNS for you and you wireguard back to the opnsense box at base.

Amazing. Something like this: https://www.amazon.com/Gigabit-Ethernet-Controller-1000Mbps-RTL8168C/dp/B00B524102/ref=sr_1_1?keywords=Mini+PCI+Express+Gigabit+Ethernet&qid=1638907598&sr=8-1

?

Also, mind sharing which laptop model you have, or what I would need to look for in a laptop to find out if it has this port? Thanks

This isn't the first time I see Ruckus mentioned. Any particular model or reason ?

I'd like to privilege an open source approach and saw that, for example, you can flash openwrt on Ubiquiti APs: https://openwrt.org/toh/ubiquiti/unifi_ap_pro

It's not open source but Pritunl works well. Single signon. Supports openvpn, ipsec and wireguard. You can use native clients or theirs.

Admin pretty easy. You can setup organizations that have different network access.

It's a service running on your FW - it's pretty much there! :)

You can add blocklists to Unbound and run it that way - but it's a lot larger to look up why a site/app isn't working, read the logs of a certain device, etc. as it all just does it in the background with no info for you to peruse.

​

The other option is to just change your upstream DNS for your WAN connection to Adguard DNS. Maybe that will suit you? Or at least set them as your DNS servers in the DHCP Server setup.

AdGuard Home is a straightforward setup. You can do DNS over HTTPS/TLS right out of the box. I have quite a few DNS rewrites in there for a split-brain with my external facing domains - but that is not that common.

I have them running as separate instances on my ProxMox virtual server.

https://adguard.com/en/adguard-home/overview.html

use wireguard. Handles split tunnel easily and is much, much faster than openvpn.

I used wireguard at my previous company to handle about 150 users and 4 site-to-site connections. I used openwrt on a virtual appliance for management (1 vcpu, 1gb of ram), opnsense would work fine too.

AFAIK it's been running for 2 years now without any issues or hiccups.

I'm not sure if this is something you're doing purely for the learning experience (in which case, awesome project), so these suggestions may or may not be helpful.

First if you'd just like to get this done, check out PiHole as an alternative DNS server. It's made for Raspberry Pi, but runs very nicely in a VM.

If you'd really like to do it in OPNsense, maybe try using the /etc/hosts file as your block list (instead of creating the new one in /etc/extra/). Adding entries there should preempt any DNS resolution.

If nslookup on your client network still doesn't come out like you'd hope, maybe double-check that you don't have DNS manually set on the client-side.

Neither of these ideas is quite what you're asking for, but maybe they'll lead you in a useful direction.

This is perfectly possible.

I tested this with the official WG client and generated the config files on the Mullvad website. The only thing I had to do was adding port 51820 to the `OUT_PORTS_WAN` alias.

Well I think Mullvad would let you push as much, their "owned" servers are capable of 10 Gbps. It depends on your hardware and I'm not sure how the non-kernel WG implementation would handle such bandwidth requirements.

Through the Mullvad tunnel? I bought the DEC because I had a Gigabit connection at the time of purchase. Unfortunately I changed back to a 200/100 Mbit connection before implementing the VPN WAN. I can completely max. out that connection with around 50% CPU utilization.

I had Compression on 'No Preference' because there's no option to disable. I changed it to 'Legacy - Disabled LZO algorithm'. There's also no option to Disable IPv6. I know this guide by NordVPN is old so that's probably why I'm having trouble here.

I did all that and there's still no difference when performing step 13. I have all of the same options available to me as before.

Thank you.

I actually used Mullvad for years and had no issues with them, but always heard that Nord was as good, if not better, and I got a deal from BestBuy on a subscription. That said, I'm still in the 30-day return window, so I'd love to hear your beef with them. They seem highly rated on the various VPN spreadsheets and the like.

Anyway, thanks for your suggestions. I tried both of them to no avail. Didn't seem to effect any of my symptoms. (I had high hopes for the reply-to switch; that looked interesting.)

Obligatory don't use NordVPN. On the next billing cycle, switch to Proton or Mullvad. :D

Now that that's out of the way, could you try going to Firewall -> Settings -> Advanced and select Disable reply-to? I've had my OPNsense do some insanely weird stuff until I happened upon that option.

Your ports look right.

I have Valheim Dedicated Server running in my homelab. I use LinuxGSM setup (https://linuxgsm.com/lgsm/vhserver/) Everything works.

There is an issue where steam doesn’t properly show the status on servers window.

depends... i just use amazon & netflix on my firetv ao i made a fw rule to route everything from the source ip of the firetv through the normal wan gateway

if you wan to use it on any device in your net then you need to filter by target ips

https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

https://ipinfo.io/AS2906

If you have a dedicated interface on your opnsense box you could configure that interface with a new subnet (192.168.200.x), put the media server on that, set up firewall rules to allow the traffic across your LANs (and probably NAT to redirect port 80 to 8096).

Are you able to reconfigure emby to use port 80? That seems like a one line config change and no messing with your network topology ( https://emby.media/community/index.php?/topic/87858-emby-on-port-80-ubuntu-server/).

If you want more control over which devices can access the media server (e.g. Stop IoT from accessing it) you would be better putting it on a different subnet so you can tailor the firewall rules.

Brilliant, I've had a machine on the local network set up with RDP allowed, a really long complex password etc, and I know I shouldn't, and no don't, but enabling this IDS and checking behaviour has shown me a brute force attack against that machine I was unaware of, from a IP in the netherlands https://tools.keycdn.com/geo?host=185.132.134.35

Checking the security logs on the Win10 machine in question there's been a brute force running on it for at least three days.

Thank you, for attracting my attention to this part of OpnSense.

To support my previous comment. Compare it to another line of code which does require both user/pass (which just so happens to be the next case in the dydns plugin code).

case 'dnsexit': curl_setopt($ch, CURLOPT_URL, 'https://update.dnsexit.com/RemoteUpdate.sv?login=' . urlencode($this->_dnsUser) . '&password=' . $this->_dnsPass . '&host=' . $this->_dnsHost . '&myip=' . $this->_dnsIP); break;

Note the use of both dnsUser & dnsPass and other parameters. The plugin I mentioned uses only use the dnsPass, which is where the hash or API key (for this provider) is required.

case 'freedns': curl_setopt($ch, CURLOPT_URL, 'https://freedns.afraid.org/dynamic/update.php?' . $this->_dnsPass); break;

hth

Yes it’s just a curl hook so code any way you wish. Pay per client not server license so I have on both ipad and iPhone for one price and serving from a few diff processes on diff computers https://pushover.net/

Yes, I've done that as well as used fast.com and the speeds seem to be reasonable. Of course, it's hard to tell what speed we're getting at the time that our WAN connection goes down, but it should be better than 30/12. :/

https://www.zabbix.com/

opnsense has the zabbix package so linking them is easy.

rsyslog -> promtail -> loki -> grafana also but tbh, i don't really need to use it much (https://github.com/grafana/loki)

MAC ADDR spoofing is one Google search away, and how to's circulate thru schools like candy. Unless your kids are in Elemantary school, this "parental control" method will last a day or two at most. If you're really worried, buy a 5-pack of NetNanny - $55 USD. Controls both desktops and mobile devices - to date, as long as strong passwords were used - it has yet to be bypassed.

I am not sure what exact instructions I used to configure VPN; something like this: https://www.ovpn.com/en/guides/opnsense but I don't know if this is the one*.*

Forcing VPN: OPN's DHCP server assigns network parameters to clients so computers just use OPNsense's LAN IP address as a gateway. Few clients have static IP, but they also use same GW.

Routes:

I second what's been pointed out in both previous posts by filetransferpolice.

Looks like (at face value) the transparent proxy portion still needs setting up.

Unless you give the firewall a direction of where to redirect the traffic then the rules in the image above will only block everything on ports 80/443 (but other ports would still work).

The transparent proxy needs to be configured correctly before you can do web filtering.

It is also correct that if you plan on deploying an SSL transparent proxy, that you need a MITM setup. Running a MITM setup (and SSL bumping) can be a headache for a variety of reasons, sometimes there's a protocol mismatch and you'll get a site refuse to load because the proxy can't negotiate a secure connection, whilst some devices will refuse to work unless SSL bumping isn't correct for every single URL they access (some PayTV boxes for example have URLs change with firmware updates for security reasons). You also need to add a pile of domains to the SSL bump list if you want them to work properly as well (there's 5 for reddit alone to ensure you can watch live broadcasts and comment on them etc).

I would suggest that if you're only really implementing Web Filtering to make your home network 'family friendly', you're better off creating rules to intercept all DNS requests and get OPNsense to forward those to something like OpenDNS Family Shield etc.

I didn’t realize opnsense was a legit subreddit. Last I heard someone from pfsense was still squatting on it similar to the crap around the opnsense(dot)com domain.

https://opnsense.org/opnsense-com/

https://opnsense.org/opnsense-20-7/

Known issues and limitations:

o i386 architecture builds are no longer available

Not sure about self compiling, but pretty sure installing an older version and trying to update will fail, as the kernel and other components are updated during that process.

As far as I have understood it, the last accept means it should be accepted no? Or do I have to manually enable that? The only mDNS mention I found in the docs was in regards to locking down UDP:

tag udpserver id 1000 default 0 ;

accept ipprotocol udp and tor udpserver 1 or chr multicast ;

break ipprotocol udp;

Section 3.5.2 of the manual: https://www.zerotier.com/manual/

This error showed up on freshclam log.

​

-> Update failed. Your network may be down or none of the mirrors listed in /usr/local/etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons. Wed Mar 20 13:09:09 2019 -> Giving up on database.clamav.net... Wed Mar 20 13:09:06 2019 -> ERROR: Verification: Can't verify database integrity Wed Mar 20 13:09:06 2019 -> Downloading main.cvd [100%]

looks like rufus didn't create the bootable USB correctly. Download the *.img file from the opnsense.org site. Make sure you pick your needed image (nano, VGA, Serial).

Download Win32DiskImager and use this tool to write the img file to the USB drive.

As for your USB drive, you may need to start over. Open cmd and use diskpart:

DISKPART> list disk

Disk ### Status Size Free Dyn Gpt -------- ------------- ------- ------- --- --- Disk 0 Online 419 GB 0 B Disk 1 Online 698 GB 0 B * Disk 2 Online 476 GB 1024 KB * Disk 3 Online 3824 MB 0 B

DISKPART> select disk 3

Disk 3 is now the selected disk.

DISKPART> clean

DiskPart succeeded in cleaning the disk.

DISKPART>

make sure you select your USB drive, in my case, it was disk 3, but use list disk to find your USB disk. The empty drive will show up in Win32DiskImager, and you then write the img to it.

If you have the stuff to test it on a VM first that'd be the best way.

Best of luck, I hope you enjoy it as much as I do :)

PS. A bunch of us chill out in #opnsense on freenode (https://freenode.net/)

I'm using OpenVPN with Mullvad, so that all traffic goes through them. It's been working great for the last couple of years I've been using this setup. My connection is 100 mbit fiber, and the speed and stability is very good.

I rarely encounter any captchas or other problems. If I do, all I have to do is log in to OPNsense and restart the VPN service. Then I get a new IP from Mullvad, and everything is back to normal.

Thanks. I’ll check this out. All I know is with NordVPN I have to have it off more than on. Since I’ll be applying this network wide I don’t want others to have blocked websites and captchas left and right. I think at one point I had to use a captch to use google.

Update: IVPN doesn't support port forwarding on Wireguard - so I removed my internal server from my wireguard configuration and installed the IPVN app on it natively and am using OpenVPN on that.

Still not sure what to do with the port forward from IVPN though?

I was hoping it might help me with my external access to my nextcloud server??

Re-do the official Roadwarrior doc. You have a ton of unnecessary stuff in here related to something like a Mullvad connection (gateways, no routing, etc etc). None of that applies to the Roadwarrior and in fact breaks it. Once you’ve followed the official docs to the letter, if you’re still having issues, DM me.

It doesn’t appear you actually want a Roadwarrior setup. It appears you’re trying to connect to Mullvad which is a different setup.

Or are you trying to route through OPNSense with a remote host back out Mullvad? In which case you need two different tunnels.

Can you please explain? Mullvad is just a VPN service right?

I have a VPN service from Lan to Wan using Torguard. Thats my 1st interface.

What I want here is to allow people from outside my network access to specific folders on my Nas. Thats what they mean by roadwarrior right? Allowing outsiders access to (parts of) your network?

I read that I cant disable routes since once you have more than one interface you need to disable routes to even have it pop up and be able to create the interface. And I need the interface to create the rule, right? At least thats what I understand from the docs.

I'll check when I'm home where I found this piece of wisdom about interfaces, but it was somewhere on the official forums.

The rule I created is copypasta from the official documentation linked in my post. If you have a better guide, I would be happy to see it.

I just saw you told someone else you're overseas. But this is the link. Currently it's $198 with $10 off instant coupon. https://www.amazon.com/dp/B08SQS7NWQ I got mine with a $50 off instant coupon and my buddy did too. They change it up. But now is one of the worst times in history to buy new PC hardware with the chip shortage, shipping issues, etc. Sorry if I ended up not being that helpful

> Why ask why, instead of just answering what I'd requested. These subs always lack focus.

https://xyproblem.info

Your problem is double NAT. You don't want to solve the double NAT. Sucks to be you. Just go buy a cheap wireless router, put it in AP mode, and stop using Xfinity's trash.

Interestingly enough, I queued up a bunch of torrents (distro ISOs) from a linux VM with NordVPN last night and started experiencing these issues again.

OPNsense and all networks routed on it were reachable, but couldn't get to the internet. I was able to reproduce several times.

PIA has been acquired by Kape Technology, a malware company that also acquired CyberGhost and, just recently, ExpressVPN...